1. jcyph3r's Avatar
    On iOS4.1 there is ZERO builtin capability to view or configure ipv6 settings. You all probably know that iOS4.x has a working ipv6 stack that will autoconfigure itself on a wireless network if you give it an ipv6 router advertisement. This is a glaring gap in native iOS functionality. Hopefully Apple will fix this in iOS4.2, but meanwhile modders should have at least a commandline app to handle this situation. I do see that from the cmdline, you can use ndp -a to view ipv6 addresses. But netstat, ifconfig, route, and python socket etc are all ipv6-ignorant on iOS with the cydia packages that you would think would display or configure ipv6.
    2010-11-13 02:15 AM
  2. afterdinnerdip's Avatar
    Wake up and smell the c0ffee!

    A topic like this one about IPv6, which is (or shall be) of increasing interest to everyone who is reading this, should no longer be neglected in my opinion. So to bring all the people who regard themselves as n00bs up to speed here's something to chew on.

    Just as the OP said two years ago: Apple's devices have IPv6 enabled and listening to so-called router advertisements. Yet, even at this stage of IPv6's readiness, there is a remarkable ignorance among developers and end users, both consumers and professionals. People keep "leaving it alone" and refuse to take more than notice.

    I suspect this occurs largely due to the fact that most people are intimidated by the size of the IPv6 namespace. So people try to grasp it by relating to what they already know: IPv4. The intimidating feeling can however be stopped when people start facing this stuff. Stop thinking in "amounts of available IPv6 addresses" and start talking about IP groups. For example one group is usually called a "slash 64" (/64). And people usually are permitted to use more than one of those groups.

    For those still reading -- yay! -- let's continue.

    Why is it important to talk about IPv6?

    I'll tell you. Thanks.

    On the Internet people have known since, say, the beginning of this century that it's normal to connect with our devices to a local network. The word 'local' is key. Say we talk about the network in your house. Usually a device, your iPad for example, signs on. What it does is announce its presence to the other devices in your house. One of the devices, you know, the "router" or "modem" or whatever, hears that cry for connectivity. And so it answers by assigning to the device a local address.

    What local means is the type of address, recognisable by its numbers. A fair while ago the "Men of Lore, men with Beards" (yeah the guys who built the Internet) agreed that these specific types of addresses shall never be permitted to instantly connect to the shared space of the Internet. The device that assigned that number to your iPad is well aware of this agreement. So when you use your iPad it "disguises" your IP number with its own global address, assigned by your ISP. It is a number to which all other global addresses can (hopefully) freely connect. When the connection gets a reply the device remembers that it is related to the stuff you sent out just before so it knows to send it back to your local address. Kind of like a switching board, a guarded doorway, or more commonly coined the gateway.

    Knock, knock, Neo...
    The (not so) new IP address scheme is coming at us at increasing speed. It's called IPv6 and is as big as the sun whereas the old scheme is called IPv4 and as small as our moon. If our sun would be made of sand then it would of course consist of much more individual grains of sand than, say, the moon. Let each grain of sand here have one unique IP address. The moon's IP addresses are depleted far quicker than the sun. So now we're moving slowly from "moon IPs" (IPv4) to "sun IPs" (IPv6). For a while we'll carry them both. Until everyone has the Sun's IPs, that's when we don't need to carry one of each. And we don't need to disguise them any longer 'cause there are enough unique addresses available to give every person, animal, tree and flower a million of them. Seriously.

    So. What this means is that the guard's job is now redundant. He's been fired and all devices can have their own, globally unique, globally reachable address. All things that use the Internet are technically able to reach each other, unmodified.

    In the old scheme someone would knock on the door, the guard would open, the person would say who he comes to visit and the guard would say yes or no. So your device would only be receiving traffic it either initiated, or the guard would pass on. You had some form of easy protection. With the new model you do not have that kind of protection, at least not enough, mainly due to unfortunate ignorance, which I believe is due to the intimidating size of it.

    Sure, there are firewalls and protecting yourself will be just as easy depending on who you ask of course. The problem is not "can I be protected", the problem is "how do I learn so I can protect myself?" We did it before, we can do it again. In fact, I believe we must.

    It's Alive!
    This means we should stop worrying about the confusing, almost unreadable "look" of these IPv6 addresses. I can't blame people for feeling a bit lost. However: by now we should just learn how to ride the wave.

    Where "" is fairly easy to read and remember, an address like 2001:0DB8:32EF:BA0:3E:1910:632:E670 certainly is not. Tough luck then. I bet the kids growing up in the year 2032 will disagree.

    Today the real guards, e.g. companies and end users, just do not want to face reality:

    This new network is already working and it's growing very fast.

    Your iPad can have an IPv4 and an IPv6 address and can now be reached by everyone, far more easily because the guard is only monitoring your old IPv4 network.

    This means that, as a figure of speech, the key logger you might have unwittingly installed and never knew about, just got upgraded. Suddenly it is not only able to transmit out to someone... now it is able to open the door to whoever wants to come in.

    I noticed that mobile providers, at least in my country, are actively passing out IPv6 addresses to all connected phones. It's here and it's real, people. Wake up. All phones can carry malicious applications and an attacker has the ability to contact all these phones easily.

    Becoming educated
    We should get rid of basically the only form of protection that remains with regards to IPv6, one of time and faith a.k.a. "let's hope that there is not some device connected that is allowed to pass out an IPv6 to all the devices." If there is and you are not aware of it (which luckily is not that common, don't get intimidated!), then each device can be contacted easily.

    IPv6 must get attention. Besides, it also has many fun aspects. So vendors, programmers and so forth should start learning about it and give us good tools. But not only they have to learn about it... We must all reeducate ourselves lest we stay unaware of the many insecurities.

    The common people are still in denial and refuse to learn about IPv6... unless there is something to gain. Think about it. Safety seems to have lost its attractiveness to many of ya, or not?

    Where are the proper tools??
    There, now that this is off my chest I see currently there are but two programs on my jailbroken iOS 5.1.1 device: ip6conf and ip6fw.

    	Start up IPv6 on ALL interfaces:	-a
    	Shut down IPv6 on ALL interfaces:	-x
    	Start up IPv6 on given interface:	-u [interface]
    	Shut down IPv6 on given interface:	-d [interface].
    Unfortunately I didn't find this to be a persistent setting regardless of what you try.

    Then there's ip6fw:
    usage: ip6fw [options]
        add [number] rule
        delete number ...
        list [number ...]
        show [number ...]
        zero [number ...]
      rule:  action proto src dst extras...
          {allow|permit|accept|pass|deny|drop|reject|unreach code|
           reset|count|skipto num} [log]
        proto: {ipv6|tcp|udp|ipv6-icmp|<number>}
        src: from [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]
        dst: to [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]
        fragment     (may not be used with ports or tcpflags)
        {xmit|recv|via} {iface|ipv6|any}
        tcpflags [!]{syn|fin|rst|ack|psh|urg},...
        ipv6options [!]{hopopt|route|frag|esp|ah|nonxt|opts},...
        icmptypes {type[,type]}...
    This might be more persistent though I will need to check. In fact I found this topic because I wanted to see what this Apple device does with IPv6. Never expected it to be the rant it became..

    Go get busy
    So this was my spontaneous rant. It's in the hands of everyone here to stop the ignorance. Learning about this stuff while your ISP is NOT yet actively passing out these types of addresses is the smart thing to do. Or maybe they are already passing them out.... How will you find out?

    Such a dramatic morph into the realm of IPv6 should be well understood on a novice level by the lot of you who have heard about "IP Address." Else why're you still readin'?

    Last edited by afterdinnerdip; 2012-05-26 at 11:53 PM.
    2012-05-26 11:17 PM
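
An added example, not part of either post above: one way to answer "How will you find out?" is to take the IPv6 addresses a device reports and sort them by scope, so the globally routable ones (the ones the IPv4 "guard" never sees) stand out together with their /64 group. The address list is constructed sample data using the 2001:db8::/32 documentation prefix in place of an ISP prefix; the function names are hypothetical, and the MAC recovery assumes classic modified EUI-64 autoconfiguration.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # never routed off the link
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")     # private, site-internal
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # routable on the Internet

# Constructed sample input, not output captured from a real device.
SAMPLE_ADDRESSES = [
    "fe80::21b:63ff:fe12:3456%en0",
    "2001:0DB8:32EF:BA0:3E:1910:632:E670",
    "2001:db8:32ef:ba0:21b:63ff:fe12:3456",
    "fd12:3456:789a:1::10",
    "::1",
]


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = addr.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":           # EUI-64 inserts ff:fe in the middle
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)


def classify(text):
    """Return (scope, /64 prefix, embedded MAC or None) for one address."""
    addr = ipaddress.IPv6Address(text.split("%")[0])    # drop zone id (%en0)
    if addr.is_loopback:
        scope = "loopback"
    elif addr in LINK_LOCAL:
        scope = "link-local"
    elif addr in UNIQUE_LOCAL:
        scope = "unique-local"
    elif addr in GLOBAL_UNICAST:
        scope = "global"
    else:
        scope = "other"
    network_bits = int(addr) & ~((1 << 64) - 1)         # keep the upper 64 bits
    prefix = ipaddress.IPv6Network((network_bits, 64))
    return scope, str(prefix), eui64_mac(addr)


def globally_reachable(addresses):
    """Addresses that need an IPv6 firewall rule because no NAT hides them."""
    return [a for a in addresses if classify(a)[0] == "global"]


if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(a, classify(a))
```

Any address this reports as global is reachable without address translation, so it is the set that inbound filtering (for instance an ip6fw ruleset) has to cover.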